CVE-2021-21015 — Magento Commerce Unauthorized Data Modification Could Lead to Arbitrary Code Exe

Description

Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

How to fix CVE-2021-21015

To remediate CVE-2021-21015, upgrade the affected package to a fixed version below.

—upgrade to 2.3.6 or later
—upgrade to 2.3.6-p1 or later

Is CVE-2021-21015 being exploited?

Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.6, >= 2.4.0, < 2.4.2
from 0, < 2.3.6-p1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21015
PATCHgithub.com/magento/magento2
WEBgithub.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497
WEBgithub.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b